Bug Bounty Programs Turn Attention to Data Abuse

More companies – particularly social media firms – may follow Facebook’s footsteps in turning to bug bounty programs to scout out any data privacy abuse on their platforms, experts say.

On the heels of Facebook’s Cambridge Analytica scandal in March, the social media giant launched a “Data Abuse Bounty Program” in an attempt to crack down on data misuse by third-party app developers.

This past week, the program was put to good use after a bounty hunter working through the program spotted a popular Facebook app that was exposing the personal data – including private information, friends, posts and photos – of millions.

“I think that’s an extension of the idea of crowdsourcing as a way to get work done,” Casey Ellis, CTO and founder of Bugcrowd, told Threatpost. “What we’re focused on in bug bounty is mostly the identification of vulnerabilities in code, but what Facebook did with the privacy bounty after Cambridge Analytica was mostly to use people that have this critical hacker mindset to solve this issue that they have.”

Facebook in March first made the announcement it was expanding its bug bounty program: “Facebook’s bug bounty program will expand so that people can also report to us if they find misuses of data by app developers. We are beginning work on this and will have more details as we finalize the program updates in the coming weeks,” wrote Ime Archibong, VP of platform partnerships at Facebook, at the time in a post on the Facebook for Developers blog.

Facebook said that it hopes the program will incentivize anyone to report apps collecting user data and passing it off to malicious parties to be exploited.

In an outline of its data abuse bug bounty program, Facebook said it is looking for any situation where a third-party app currently or formerly operating on Facebook collected data from users and then bought, sold, disclosed, transferred, or used that Facebook user data in any manner prohibited by its data privacy policies. Should a malicious app be found, Facebook said the result would be termination of the application from the platform.

“It’s an interesting development as an extension to data use and privacy,” Amit Elazari, an expert in the policies and legalese surrounding bug bounty programs, told Threatpost.

The program seems to be working in drawing in interested white hat hackers, at least for Inti De Ceukelaire, who published a post on his findings through the bug bounty program on Wednesday.

De Ceukelaire said he found that the data of 120 million users was exposed by a quiz app owned by Nametests.com. The ethical hacker noticed that the website would fetch his personal information and display it on the page nametests[.]com/appconfig_user. That data was then available for other sites to swipe, he said.

The researcher said he reported the flaw to Facebook’s Data Abuse program on April 22 and noticed the issue was fixed on June 25. De Ceukelaire said that, at his request, Facebook donated $8,000 to the Freedom of the Press Foundation as part of its Data Abuse Bounty Program.

“I have mixed feelings about this one. I am glad both Facebook and NameTests cooperated and resolved the issue,” he said. “On the other hand, we cannot accept that the information of hundreds of millions of users could have been leaked out so easily. We can and must do better.”

Craig Young, computer security researcher for Tripwire, said “it’s possible that this could be the start of a trend toward more policy-oriented bug bounties from social media platforms.”

“[The program] really makes a lot of sense to me,” he said. “By expanding their bounty program to include data misuse by app developers, Facebook may have found a way to mobilize their community to self-police. It will be interesting to see if this spurs new bug bounty participation, including people less technical than the typical bug hunter.”

Ellis, for his part, told Threatpost he sees the program extension as an emerging trend for other social media websites in the future, particularly as data privacy becomes a bigger issue.

“That’s a new idea and I think it will ramp up slowly but I do see that growing over time as well,” Ellis said.

Authors

Threatpost